Who hasn’t heard all about customizable injection attacks such as JavaScript and SQL against web applications? Raise your hand, err, click your mouse! While most of you will acknowledge these hacker methods are “old school” and you’re protected, you may not be aware of the budding use of XPath injection attacks. Well, you should be. With the accelerating use of Web services, Rich Internet Applications (RIA), and basic XML APIs, many operations are utilizing XML as a method for everything from configuration files to remote procedure calls. Some IT administrators are even going so far as to use XML documents as opposed to relational databases or traditional flat files. Like any relatively new technology, as its adoption rises, so do the attacks against it.

It’s important to know that XML is just as susceptible as HTML and other formats to code injection methods. As XML is very generous when it comes to accepting poor typing and XPath parsers are merciful to input data, XML is all the more at risk. As per Wikipedia, injection attacks are “… a technique to introduce (or “inject”) code into a computer program or system by taking advantage of the unenforced and unchecked assumptions the system makes about its inputs. The purpose of the injected code is typically to bypass or modify the originally intended functionality of the program. When the functionality bypassed is system security, the results can be disastrous.”

XPath is a language for finding information in an XML document and includes path expressions to select attributes, elements or text nodes; the XPath name is derived from the use of path expressions similar to URLs for navigating XML documents. This process uses syntax for defining parts of these documents and contains a library of over 100 built-in standard functions including string values, numeric values, date and time comparison, node and QName manipulation, sequence manipulation, and Boolean values.

The XPath injection attack vector operates in an analogous way to SQL injection. Most Web-based applications leverage relational databases to store and retrieve information. In turn authentication is typically used where the login process will invariably use a table with IDs, names, and passwords. In a SQL injection attack the hacker injects code such that regardless of the subsequent user credentials, the system will see a match and the hacker gains unfettered access to the database. With XPath, the environment is similar except that there is a XML file present with user information. In an XPath injection attack hackers tack on malicious XPath queries to forms, URLs, among others, to bypass authentication and obtain access to confidential data. Once compromised this information is leaked and often maliciously modified. With XPath 2.0 taking over from the first generation, the list of injection and other XML hacker concerns only go up!
So what to do? Job one is to inspect all data prior to arrival at the Web server. By using a NetScaler Application Firewall with NetScaler operating system version 9.2 you are protected against not just XPath injection, but dozens of other attacks aimed at the applications and back-end databases. NetScaler utilizes a reverse proxy design and automatically checks all data passing to and from your Web servers. Traffic inspection allows automatic checking for things like single and double quotes and can be configured to disallow them. Special characters are often used in attacks and NetScaler blocks them too. NetScaler prevents XPath injection attacks by using the Custom Settings feature and leveraging an XPath pattern database; these settings are dynamic as they are field customizable and upgradable. Simply import SQL injection, cross-site scripting and other attack vector keywords, tags, and characters to the NetScaler configuration and bind these custom settings to the application firewall profile. View the “How to Configure the XPath Injection Prevention Feature in NetScaler” videofor more details. NetScaler XML-specific security protection goes way beyond XPath. For instance, schema validation thoroughly verifies SOAP messages and XML payloads and XML-based attachments are thoroughly inspected and attachments with executable content are blocked.

I don’t want to leave you with the impression that XML is to be avoided. The reality is that most applications based on XML are not at high risk to XPath injection attacks. XML applications are not at any more peril than other types. However, with the growing use of RIA and Ajax, the threat is present and growing. Many search engines, particularly Google, are big proponents of XML and use it for many reasons including persistence and back-end service communications. Don’t get caught short; get protected with the ultimate in application security with NetScaler. It has the great combination of full application security, multi-gigabit performance and ease of deployment and use with automatic learning.

Share

Tagged under:

John Gudmundson is a senior product marketing manager at Citrix, responsible for Citrix NetScaler and NetScaler Application Firewall. Mr. Gudmundson has over 15 years of product marketing, product management and engineering expertise. His high tech experience includes application delivery controllers, security appliances, networking and telecommunications. He holds an MBA from the University of Southern California, a BSEE from UCLA and a BSBA from U.C.-Berkeley.